[logs] Passive syslog monitoring

ron dilley ron.dilley at gmail.com
Tue Jan 29 16:25:34 PST 2008


Morty,

No argument there.

I built the first version to monitor a DMZ where I was unable to get the
system administrators and network administrators to send their log data to a
central repository.  I put a box with lots of disk in the DMZ and always had
the logs that I needed.  When I was finally able to get them to see the
advantage of having all the data in one place, I had the firewall rules they
used to send the data to their internal log servers removed and had them
point their clients to a silent drop rule while all logs were sucked off the
wire.

Later, I implemented a log analysis appliance that wanted logs to come from
the clients directly.  This did not work for me, as I had a well-established
central logging infrastructure, so I modified psmd to suck the traffic
destined for loghost off the wire and forward it to the appliance as
though it had come directly from the clients.

Ron

On Jan 29, 2008 4:06 PM, Mordechai T. Abzug <morty at frakir.org> wrote:

> On Tue, Jan 29, 2008 at 03:00:17PM -0800, ron dilley wrote:
>
> > I have just posted an update to the Passive Syslog Monitoring Daemon
> > ( http://sourceforge.net/projects/psmd).
>
> That sounds cool.  But what's the point?  The risk of running a daemon
> is not because your OS has an open socket, it's because you're
> processing untrusted data.  Most security checklists say to disable
> open sockets, but only because they equate open sockets with
> processing untrusted data.  A passively listening daemon is still
> processing untrusted data.
>
> - Morty
>
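The two mechanisms this thread describes, a passive tap that pulls syslog off the wire and re-emits it toward another collector with the original client as the source address, and Morty's point that the tap is still parsing attacker-controlled bytes, reduced to packet handling. This is an added example and not psmd's own code; the libpcap capture and the raw-socket send (IP_HDRINCL, root) are left out so it runs offline, and the frame, addresses (10.1.2.3 as a DMZ host, 10.0.0.10 as loghost, 10.0.0.20 as the appliance) and the log line are constructed for the example.

```python
"""Passive syslog capture-and-reforward, reduced to the packet handling.

Added example (not psmd's code): extract a UDP/514 payload from a captured
Ethernet frame, then rebuild an IPv4/UDP datagram toward a new destination
while keeping the original client as the source address.  Capture and raw
transmission are omitted; the sample frame below is constructed by hand.
"""
import ipaddress
import struct

SYSLOG_PORT = 514
MAX_SYSLOG_LEN = 1024  # RFC 3164 ceiling; anything longer is truncated

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header (0 when valid)."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def extract_syslog(frame: bytes, loghost: str):
    """Return (client_ip, payload) if frame is UDP to loghost:514, else None.

    Every length field comes off the wire, so each is bounds-checked before
    it is used: a passive listener parses untrusted data like any daemon.
    """
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":  # IPv4 ethertype
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8 or ip[9] != 17:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl + 8 or total_len > len(ip):  # truncated or lying header
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dst != loghost or dport != SYSLOG_PORT or ulen < 8 or ulen > len(udp):
        return None
    return src, udp[8:ulen][:MAX_SYSLOG_LEN]

def build_forward(src_ip: str, dst_ip: str, payload: bytes,
                  sport: int = SYSLOG_PORT) -> bytes:
    """IPv4+UDP datagram from src_ip (the original client) to dst_ip:514.

    Injecting it needs a raw socket with IP_HDRINCL; the UDP checksum is
    left at 0, which IPv4 permits (RFC 768).
    """
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, SYSLOG_PORT, udp_len, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp

def parse_pri(payload: bytes):
    """Split a BSD syslog PRI into (facility, severity); None if malformed.

    Accepts only the strict "<N>" form with 1-3 digits and N <= 191; anything
    else is treated as having no PRI rather than guessed at.
    """
    if not payload.startswith(b"<"):
        return None
    end = payload.find(b">", 1, 5)
    if end == -1 or not payload[1:end].isdigit():
        return None
    pri = int(payload[1:end])
    if pri > 191:
        return None
    return pri >> 3, pri & 7

def passive_forward(frame: bytes, loghost: str, appliance: str):
    """One capture-to-reforward step: the datagram to inject, or None."""
    hit = extract_syslog(frame, loghost)
    if hit is None:
        return None
    client_ip, payload = hit
    return build_forward(client_ip, appliance, payload)

# Constructed sample: what a DMZ host (10.1.2.3) would send to loghost
# 10.0.0.10, built with build_forward() only to avoid shipping a pcap.
SAMPLE_MSG = b"<34>Oct 11 22:14:15 dmz-web sshd[1234]: Failed password for root"
SAMPLE_FRAME = (b"\x00" * 12 + b"\x08\x00"
                + build_forward("10.1.2.3", "10.0.0.10", SAMPLE_MSG, sport=40000))

if __name__ == "__main__":
    pkt = passive_forward(SAMPLE_FRAME, loghost="10.0.0.10", appliance="10.0.0.20")
    print(parse_pri(SAMPLE_MSG), pkt[12:16].hex(), pkt[16:20].hex())
```

The forwarded datagram keeps 10.1.2.3 as its source, so the appliance attributes the message to the client rather than to the tap; the cost is that the tap must sit where it can inject spoofed-source packets, and that the same code path that parses lengths and PRI fields is reachable by anyone who can put a packet on that segment, which is Morty's objection in concrete form.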